Domain 1 - Security and Risk management Flashcards
Domain one of CISSP
What are some of the controls to provide confidentiality?
Confidentiality refers to ensuring that information is only disclosed and accessible to authorised individuals.
Controls to achieve:
- Strict access control
- Encrypt data at rest (Whole disk, database)
- Encryption of data in transit (IPSec, SSH, etc.)
- Training users on proper data protection methods
What are some of the controls to provide integrity?
Integrity serves to ensure only authorised individuals are permitted to make changes to data.
Issues arise from: Intentional alteration, user error, software or hardware error, acts of nature.
Controls:
- Hashing, Non-repudiation/Digital Signatures
- IDS
- Access control
- Change management/ Configuration management
What are some of the controls to provide availability?
Availability ensures reliable and timely access to data and resources for authorised users.
Common threats: Malicious attackers, Component failures, application failures, utility failures.
Controls:
- Redundant components, e.g. power supplies, RAID
- High availability
- Fault tolerance
- Patching of OS/Application vulnerabilities and flaws
What is the relationship between vulnerability, threat, risk, exposure and control?
- Vulnerability is a weakness in a system that allows a particular threat to compromise security.
- Threat is the potential danger associated with the exploitation of a vulnerability.
- Risk is the likelihood of a threat source exploiting a vulnerability, together with the corresponding impact.
- Control is a countermeasure put into place to mitigate or reduce the potential risk.
- Exposure is an instance of being exposed to losses from exploitation.
What are the three types of controls?
- Administrative: soft or management controls, e.g. security documentation, data classification and labeling, background checks.
- Technical: software or hardware components, e.g. firewalls, IDS, encryption.
- Physical: protect facilities, personnel and resources, e.g. security guards, locks, fences.
What are the six functions of controls?
- Preventative: Avoid an incident from occurring, e.g. locks, encryption
- Detective: Identifies an incident occurring, e.g. IDS, cameras
- Corrective: Fixes components or systems after an incident, e.g. server images
- Deterrent: Intended to discourage attackers, e.g. fences, login banner
- Recovery: Bring the environment back up, e.g. offsite facility, backups
- Compensating: Alternative measure of control
What are the principles of COBIT?
- Security controls framework.
- Framework for governance and management developed by ISACA
- Five key principles:
- Meeting Stakeholder needs
- Covering the enterprise end to end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
- Ultimately linked to the stakeholders through a series of transforms or cascading goals.
- Specifies 17 enterprise goals and 17 IT-related goals to remove guesswork.
What are the principles of NIST SP 800-53?
- Security controls framework.
- Used in the US government sector; COBIT is used in the commercial sector.
- Outlines the controls that agencies need to be compliant with FISMA.
- Control categories to protect CIA include:
- Management
- Operational
- Technical
What is enterprise architecture?
- Conceptual construct to help individuals understand an organisation in digestible chunks.
- When developing an architecture, stakeholders need to be identified, and then "views" need to be developed to provide the information specific to the perspective of each stakeholder.
- Allows both business and technology people to view the same organisation in ways that make sense, reducing confusion and optimising business functionality.
How does the Zachman Architecture framework work?
- Enterprise Architecture
- Two-dimensional model that uses 6 communication interrogatives (What, How, Where, Who, When and Why?) intersecting with different perspectives (executives, developers) to give a holistic view.
- Each row should describe the enterprise completely from that perspective.
- Not Security focused.
- Understand an enterprise in a modular fashion
What are the principles of the TOGAF framework?
- Enterprise Architecture model
- Used to develop the following architectures:
- Business
- Data
- Applications
- Technology
- Uses the Architecture Development Method (ADM), which is an iterative and cyclic process that allows requirements to be reviewed and architectures to be updated.
What are the principles of the DoDAF/MODAF framework?
- Enterprise Architecture framework
- Focus on the command, control, communications, surveillance, reconnaissance systems.
- Different types of devices need to communicate using the same protocol and be interoperable with software components but also use the same data elements.
- MODAF, developed by the British MOD, is another enterprise architecture framework based on DoDAF.
- Goal is to get data in the right format to the right people as soon as possible.
How does Enterprise Security Architecture work?
- Ensure security is aligned with business practices in a cost effective manner.
- Define security strategy in layers of solutions and processes across an enterprise strategically, tactically and operationally.
- Goal is to integrate technology-oriented and business-centric security processes by linking the administrative, technical and physical controls, and to integrate these processes into the IT infrastructure, business processes and the organisation's culture.
How does SABSA work?
- Enterprise Security Architecture
- Layered framework, 1st layer defining business requirements from a security perspective. Each layer decreases in abstraction and increases in detail and moves from policy to implementation.
- Has a lifecycle model of improvement focusing on:
- Strategic Alignment: Legal requirements met.
- Business enablement: core business processes are integrated into security operating model.
- Process enhancement: allow for process management to be redefined and calibrated.
- Security Effectiveness: determine how security solutions are performing.
What are the principles of COSO?
- Controls Framework
- COBIT was derived from COSO
- Identifies 17 control principles grouped into five components:
- Control environment
- Risk Assessment
- Control activities
- Information and communication
- Monitoring activities
- COSO IC is a model for corporate governance, COBIT for IT governance.
- COSO operates at the strategic level, while COBIT is operational.
What are the principles of ITIL?
- Process management framework.
- De facto standard of best practices for IT Service management.
- Provides the goals, the general activities necessary to achieve the goals, as well as the input and output values for each process required to meet these goals.
- Focus is toward internal SLAs between the IT department and the customers it serves.
What are the principles of Six Sigma?
- Process management framework.
- Improves process quality by using statistical methods of measuring operational efficiency and reducing variation, defects and waste.
- Used to measure the success factors of different controls and procedures.
- Maturity of a process is described by a sigma rating, indicating the percentage of defects.
What are the principles of CMMI?
- Process management standard
- Determines the maturity of an organisation's processes.
- Used within organisations to help lay out a pathway of how to make incremental improvements.
- There are 5 levels of maturity, ranging from level 0 (nonexistent management) to level 5 (optimised process).
- Each level represents an evolutionary stage.
What is the best approach to building a Security Program?
- Must be a top-down approach: initiation, support and direction come from top management.
- Must utilise a cyclic process that is continually evaluated and improved, using:
- Plan & Organise (Develop threat profile, architectures)
- Implement (Assign roles, implement blueprints)
- Operate & maintain (audits, execute tasks per blueprints, SLA)
- Monitor & evaluate (review SLAs, audits, develop improvement steps)
- The 27000 series is like the description of a house, the architecture is the layout of the house, blueprints are like the security and electrical systems, and controls are the building specifications and codes.
What are the three categories of computer crime?
- Computer-assisted crime: where the computer was used as a tool to conduct the crime, e.g. attacking financial systems to steal funds or IP
- Computer-targeted crime: where the computer was the victim of the crime, e.g. DDoS, capturing passwords, malware
- Computer is incidental: where a computer just happened to be involved when a crime was carried out, e.g. child pornography